On this page
SSF Transmitter SET payload structures
Okta uses the Shared Signals Framework (SSF) (opens new window) to send security-related events and other data-subject signals to third-party security vendors.
To enable the transmission of signals from Okta, you must create an SSF stream (opens new window) using the SSF Transmitter API (opens new window). Then, configure the third-party receiver to accept signals from Okta.
Note: See Configure a shared signal transmitter (opens new window) to use the Admin Console to configure an SSF transmitter.
Supported events
The Okta SSF Transmitter currently supports two types of Continuous Access Evaluation Protocol (CAEP) (opens new window) events: Session Revoked (opens new window) and Credential Change (opens new window). Those events are mapped to an Okta event.
The following Okta event (opens new window) is mapped to the CAEP Session Revoked event: user.session.end
The following Okta events (opens new window) are mapped to the CAEP Credential Change event:
user.mfa.factor.activate
user.mfa.factor.deactivate
user.mfa.factor.reset_all
user.mfa.factor.suspend
user.mfa.factor.unsuspend
user.mfa.factor.update
user.account.reset_password
user.account.update_password
SET JWT schemas
SETs are a type of JSON Web Token (JWT) that must comply with the SET RFC (opens new window).
Use the following links to learn more about the SET structure that Okta supports:
SET JWT payload examples
The following are examples of the JWT payload when an Okta event is fired.
CAEP Session Revoked - user.session.end
{
"iss":"https://org.okta.com",
"jti":"24c63fb56e5a2d77a6b512616ca9fa24",
"iat":1615305159,
"aud":"https://sp.example.com/caep",
"events":{
"https://schemas.openid.net/secevent/caep/event-type/session-revoked":{
"subject":{
"format":"iss_sub",
"iss":"https://org.okta.com",
"sub":"okta-user-id1"
},
"reason_admin":{
"en":"User logout from Okta"
},
"event_timestamp":1615304991643
}
}
}
CAEP Credential Change - user.mfa.factor.activate
{
"iss": "https://transmitter.okta.com",
"jti": "set-07efd930f0977e4fcc1149a733ce7f78",
"iat": 1615305159,
"aud": "https://receiverexample.com",
"events": {
"https://schemas.openid.net/secevent/caep/event-type/credential-change": {
"subject": {
"format": "iss_sub",
"iss": "https://transmitter.okta.com",
"sub": "okta-user-id1"
},
"credential_type": "fido2-roaming",
"change_type": "create",
"fido2_aaguid": "accced6a-63f5-490a-9eea-e59bc1896cfc",
"friendly_name": "FIDO_WEBAUTHN",
"initiating_entity": "user",
"reason_admin": {
"en": "Activate factor for user"
},
"event_timestamp": 1615304991643
}
}
}
CAEP Credential Change - user.mfa.factor.deactivate
{
"iss": "https://transmitter.okta.com",
"jti": "set-07efd930f0977e4fcc1149a733ce7f78",
"iat": 1615305159,
"aud": "https://receiverexample.com",
"events": {
"https://schemas.openid.net/secevent/caep/event-type/credential-change": {
"subject": {
"format": "iss_sub",
"iss": "https://transmitter.okta.com",
"sub": "okta-user-id1"
},
"credential_type": "x509",
"change_type": "delete",
"friendly_name": "SMART_CARD",
"initiating_entity": "user",
"reason_admin": {
"en": "Reset factor for user"
},
"event_timestamp": 1615304991643
}
}
}
CAEP Credential Change - user.mfa.factor.reset_all
{
"iss": "https://transmitter.okta.com",
"jti": "set-07efd930f0977e4fcc1149a733ce7f78",
"iat": 1615305159,
"aud": "https://receiverexample.com",
"events": {
"https://schemas.openid.net/secevent/caep/event-type/credential-change": {
"subject": {
"format": "iss_sub",
"iss": "https://transmitter.okta.com",
"sub": "okta-user-id1"
},
"credential_type": "ALL_FACTORS",
"change_type": "revoke",
"friendly_name": "ALL_FACTORS",
"initiating_entity": "user",
"event_timestamp": 1615304991643
}
}
}
CAEP Credential Change - user.mfa.factor.suspend
{
"iss": "https://transmitter.okta.com",
"jti": "set-07efd930f0977e4fcc1149a733ce7f78",
"iat": 1615305159,
"aud": "https://receiverexample.com",
"events": {
"https://schemas.openid.net/secevent/caep/event-type/credential-change": {
"subject": {
"format": "iss_sub",
"iss": "https://transmitter.okta.com",
"sub": "okta-user-id1"
},
"credential_type": "OKTA_VERIFY_PUSH",
"change_type": "update",
"friendly_name": "OKTA_VERIFY_PUSH",
"initiating_entity": "user",
"reason_admin": {
"en": "Suspend factor for user"
},
"event_timestamp": 1615304991643
}
}
}
CAEP Credential Change - user.mfa.factor.unsuspend
{
"iss": "https://transmitter.okta.com",
"jti": "set-07efd930f0977e4fcc1149a733ce7f78",
"iat": 1615305159,
"aud": "https://receiverexample.com",
"events": {
"https://schemas.openid.net/secevent/caep/event-type/credential-change": {
"subject": {
"format": "iss_sub",
"iss": "https://transmitter.okta.com",
"sub": "okta-user-id1"
},
"credential_type": "phone-sms",
"change_type": "update",
"friendly_name": "SMS_FACTOR",
"initiating_entity": "user",
"reason_admin": {
"en": "Unsuspend factor for user"
},
"event_timestamp": 1615304991643
}
}
}
CAEP Credential Change - user.mfa.factor.update
{
"iss": "https://transmitter.okta.com",
"jti": "set-07efd930f0977e4fcc1149a733ce7f78",
"iat": 1615305159,
"aud": "https://receiverexample.com",
"events": {
"https://schemas.openid.net/secevent/caep/event-type/credential-change": {
"subject": {
"format": "iss_sub",
"iss": "https://transmitter.okta.com",
"sub": "okta-user-id1"
},
"credential_type": "DUO_SECURITY",
"change_type": "update",
"friendly_name": "DUO_SECURITY",
"initiating_entity": "user",
"reason_admin": {
"en": "Update factor for user"
},
"event_timestamp": 1615304991643
}
}
}
CAEP Credential Change - user.account.reset_password
{
"iss": "https://transmitter.okta.com",
"jti": "set-07efd930f0977e4fcc1149a733ce7f78",
"iat": 1615305159,
"aud": "https://receiverexample.com",
"events": {
"https://schemas.openid.net/secevent/caep/event-type/credential-change": {
"subject": {
"format": "iss_sub",
"iss": "https://transmitter.okta.com",
"sub": "okta-user-id1"
},
"credential_type": "password",
"change_type": "revoke",
"friendly_name": "PASSWORD_AS_FACTOR",
"initiating_entity": "user",
"reason_admin": {
"en": "Fired when the user's Okta password is reset"
},
"event_timestamp": 1615304991643
}
}
}
CAEP Credential Change - user.account.update_password
{
"iss": "https://transmitter.okta.com",
"jti": "set-07efd930f0977e4fcc1149a733ce7f78",
"iat": 1615305159,
"aud": "https://receiverexample.com",
"events": {
"https://schemas.openid.net/secevent/caep/event-type/credential-change": {
"subject": {
"format": "iss_sub",
"iss": "https://transmitter.okta.com",
"sub": "okta-user-id1"
},
"credential_type": "password",
"change_type": "revoke",
"friendly_name": "PASSWORD_AS_FACTOR",
"initiating_entity": "user",
"reason_admin": {
"en": "User update password for Okta"
},
"event_timestamp": 1615304991643
}
}
}